08-12-2020 08:58 AM
My client is using an EAP-TLS fragment size of 1486. I configured the authorization profile to push an Access-Accept with RADIUS attribute Framed-MTU = 1002, but the client is obviously not using that to fragment the large packets in the EAP-TLS exchange. Wireshark shows that ISE is pushing that 1002 MTU with the Access-Accept packet, which means all the EAP-TLS traffic is using the default client MTU of 1486. So how can I configure ISE to force the client to use that MTU when they are doing the EAP-TLS authentication?
reference: https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542070
08-12-2020 01:33 PM
Reading through the article you quoted, the ISE enhancement request CSCvf52213 was applied to ISE 2.6 and 2.4.0.357-Patch2 (and later) and provided a CLI option in the ISE console to set the MTU size manually per node:
interface GigabitEthernet 0
ip address 10.77.124.38 255.255.255.0
ip mtu 1300
!
interface GigabitEthernet 1
ipv6 address autoconfig
ip mtu 1300
08-19-2020 01:32 PM
Thanks ajc, but it is the same link I listed with my question... No worries, I think we can't force the client to use a specific MTU using the AuthZ profile for the EAP-TLS session until it ends, and then we can send it with the Access-Accept to use that specified MTU.
08-12-2020 10:11 AM
- Check if this thread can help you:
https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542066
M.
08-12-2020 10:28 AM
Thanks marce, but it is the same link I listed in the reference; I wanted to know how
08-13-2020 08:13 AM
Thanks thomas, it seems the lowest we can go with this config per interface is 1300 B, which is fine in most cases, so I am just wondering what's the benefit of using RADIUS attribute 12 "Framed-MTU" in the AuthZ profile. Is it just to push that to the users after the authentication, or can we use it somehow while the user is authenticating with ISE?
08-15-2020 10:02 PM
For details on the Framed-MTU attribute, refer to the document below:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html#anc9
08-18-2020 07:01 AM - edited 08-18-2020 07:06 AM
Well, people keep referring me to the same link that I listed in my question. The "EAP Fragmentation Implementations and Behavior" doc was mentioned as a link in the posted link that I listed in my question; if that had been helpful, I would not have needed to raise the question. Again, my question is: how can I configure ISE to force the client to use that MTU when they are doing the EAP-TLS authentication?
08-19-2020 01:19 PM
Wondering if the following link could help:
https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542066
10-08-2020 07:14 PM
So what is the use of RADIUS Attribute Framed-MTU =###; if we can't force a client to use it?
10-08-2020 07:56 PM
Actually we can use it, but after the authentication, so after a successful auth the client will use that MTU.
01-13-2021 12:03 AM
That is a catch-22: can't auth due to MTU, can't use Framed-MTU to lower the MTU until authed.
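As an added example (my own code, not from any poster in this thread and not Cisco or ISE code), the following Python builds and decodes the three RADIUS packet types the thread keeps coming back to, to make the catch-22 concrete: a Framed-MTU carried in the NAS's Access-Request is what a RADIUS server can use to size its EAP-TLS fragments during authentication (RFC 3579 §2.4), while a Framed-MTU in the Access-Accept is only delivered once EAP has already finished. The packets, the zeroed authenticator and the TLS bytes are constructed sample values, not captures from this thread; the 1500 and 1002 values are the ones the posters mention.

```python
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
FRAMED_MTU, EAP_MESSAGE = 12, 79
MAX_ATTR_VALUE = 253          # an attribute is at most 255 bytes including its 2-byte header
EAP_TLS = 13                  # EAP method type for EAP-TLS (RFC 5216)


def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; EAP-Message is split into 253-byte chunks."""
    out = bytearray()
    for atype, value in attrs:
        if atype == EAP_MESSAGE:
            chunks = [value[i:i + MAX_ATTR_VALUE] for i in range(0, len(value), MAX_ATTR_VALUE)]
        else:
            chunks = [value]
        for chunk in chunks:
            out += struct.pack("!BB", atype, len(chunk) + 2) + chunk
    return bytes(out)


def build_packet(code, ident, attrs):
    """RADIUS header (code, id, length) + 16-byte authenticator + attributes.
    The authenticator is zeroed (constructed sample); real packets carry a random
    value or an HMAC, so this is only for inspecting attribute layout."""
    body = build_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(pkt):
    """Return (code, ident, [(type, value), ...]); raises ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def framed_mtu(attrs):
    """Value of Framed-MTU (4-byte integer attribute) or None if absent."""
    for atype, value in attrs:
        if atype == FRAMED_MTU and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def eap_packet(attrs):
    """Reassemble the EAP packet carried across all EAP-Message attributes (RFC 2869)."""
    return b"".join(value for atype, value in attrs if atype == EAP_MESSAGE)


def eap_tls_fragment(eap_id, tls_total_len, data):
    """EAP-Request/EAP-TLS with the L and M flags set (0x80 length included, 0x40 more
    fragments): the first fragment of a TLS message larger than one EAP packet."""
    length = 10 + len(data)   # 4-byte EAP header + type + flags + 4-byte TLS length
    return struct.pack("!BBHBBI", 1, eap_id, length, EAP_TLS, 0xC0, tls_total_len) + data


def fragment_fits_nas(access_request, access_challenge):
    """Does the EAP packet in the server's Access-Challenge respect the Framed-MTU the NAS
    advertised in its Access-Request (RFC 3579 §2.4)? Returns (eap_len, mtu, ok); ok is
    None when the NAS advertised nothing, because then it has promised no limit."""
    _, _, req_attrs = parse_packet(access_request)
    _, _, chal_attrs = parse_packet(access_challenge)
    eap_len = len(eap_packet(chal_attrs))
    mtu = framed_mtu(req_attrs)
    return eap_len, mtu, (None if mtu is None else eap_len <= mtu)


def demo():
    # Constructed samples: a switch advertising Framed-MTU 1500 in its Access-Request, an
    # Access-Challenge carrying a 1002-byte EAP-TLS fragment, and the thread's Access-Accept
    # with Framed-MTU 1002, which the supplicant only sees after EAP has completed.
    req = build_packet(ACCESS_REQUEST, 1, [
        (FRAMED_MTU, struct.pack("!I", 1500)),
        (EAP_MESSAGE, b"\x02\x01\x00\x09\x01user"),       # EAP-Response/Identity "user"
    ])
    frag = eap_tls_fragment(2, 4000, b"\x16\x03\x03" + b"\x00" * 989)  # fake TLS record start
    chal = build_packet(ACCESS_CHALLENGE, 1, [(EAP_MESSAGE, frag)])
    acc = build_packet(ACCESS_ACCEPT, 2, [(FRAMED_MTU, struct.pack("!I", 1002))])
    return {
        "nas_mtu": framed_mtu(parse_packet(req)[2]),
        "accept_mtu": framed_mtu(parse_packet(acc)[2]),
        "challenge_mtu": framed_mtu(parse_packet(chal)[2]),
        "eap_message_chunks": sum(1 for t, _ in parse_packet(chal)[2] if t == EAP_MESSAGE),
        "fits": fragment_fits_nas(req, chal),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the 1002-byte EAP fragment spread over four EAP-Message attributes in the Access-Challenge, no Framed-MTU in that challenge at all, and the 1002 value sitting only in the Access-Accept; the check in fragment_fits_nas is the one to run against a capture when a NAS such as the 2960X mentioned later in the thread advertises 1500 but the path cannot carry frames that large.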
01-17-2021 01:44 AM
Hi all, so this is the exact point... we have the same issue. In our case we have a WAN infrastructure with GRE encapsulation and with switch 2960X using a Framed-MTU of 1500 bytes, and the EAP-TLS packet exchange for sending the client certificate is dropped on the F5 LB... there is no way to change the Framed-MTU on the switch, while switch 9200L is sending out a lower Framed-MTU. In the next months we will face a different scenario where the GRE infrastructure will be replaced by SD-WAN with IPsec encapsulation, so the overhead will grow and probably different tuning on the F5 LB will be needed.
12-14-2021 02:50 PM
Do you have any transport with a higher MTU? You could steer the EAP traffic over that interface.
10-07-2022 06:24 AM
Hi,
might you be so kind as to tell me how setting a lower MTU on the PSN can affect the way the remote supplicant handles its own MTU for EAP-TLS frames?
Regards
Marco